|
9 | 9 |
|
10 | 10 | = Introduction to HTTP |
11 | 11 |
|
12 | | -This section covers the fundamentals of HTTP that you need to understand |
13 | | -before using the library. After reading this, you'll know how HTTP sessions |
14 | | -work, what constitutes a message, and what security pitfalls to avoid. |
15 | | - |
16 | | -== Sessions |
17 | | - |
18 | | -HTTP is a stream-oriented protocol between two connected programs: a client |
19 | | -and a server. While the connection remains open, the client sends HTTP requests |
20 | | -and the server sends HTTP responses. These messages are paired in order—each |
21 | | -request has exactly one corresponding response. |
22 | | - |
23 | | -[source] |
24 | | ----- |
25 | | -Client Server |
26 | | - | | |
27 | | - |-------- Request #1 ----------------->| |
28 | | - |<------- Response #1 -----------------| |
29 | | - | | |
30 | | - |-------- Request #2 ----------------->| |
31 | | - |<------- Response #2 -----------------| |
32 | | - | | |
33 | | - ˅ ˅ |
34 | | ----- |
35 | | - |
36 | | -An HTTP/1.1 session typically proceeds as follows: |
37 | | - |
38 | | -1. Client establishes a TCP connection to the server |
39 | | -2. Client sends a request |
40 | | -3. Server processes the request and sends a response |
41 | | -4. Steps 2-3 repeat until either party closes the connection |
42 | | - |
43 | | -=== Persistent Connections |
44 | | - |
45 | | -HTTP/1.1 connections are persistent by default. The same connection can be |
46 | | -reused for multiple request/response exchanges, avoiding the overhead of |
47 | | -establishing new TCP connections. |
48 | | - |
49 | | -A connection is closed when: |
50 | | - |
51 | | -* Either party sends `Connection: close` |
52 | | -* An error occurs during parsing or I/O |
53 | | -* A configurable idle timeout expires |
54 | | -* The underlying transport is terminated |
55 | | - |
56 | | -=== Pipelining |
57 | | - |
58 | | -HTTP/1.1 allows clients to send multiple requests without waiting for |
59 | | -responses (pipelining). Responses must arrive in the same order as requests. |
60 | | -While the protocol supports this, many implementations handle it poorly, |
61 | | -which is why this library parses one complete message at a time. |
62 | | - |
63 | | -== Messages |
64 | | - |
65 | | -HTTP messages consist of three parts: the start line, the headers, and |
66 | | -an optional message body. |
67 | | - |
68 | | -[cols="1a,1a"] |
69 | | -|=== |
70 | | -|HTTP Request|HTTP Response |
71 | | - |
72 | | -| |
73 | | -[source] |
74 | | ----- |
75 | | -GET /index.html HTTP/1.1 |
76 | | -User-Agent: Boost |
77 | | -Host: example.com |
78 | | -
|
79 | | ----- |
80 | | -| |
81 | | -[source] |
82 | | ----- |
83 | | -HTTP/1.1 200 OK |
84 | | -Server: Boost.HTTP |
85 | | -Content-Length: 13 |
86 | | -
|
87 | | -Hello, world! |
88 | | ----- |
89 | | - |
90 | | -|=== |
91 | | - |
92 | | -=== Start Line |
93 | | - |
94 | | -The start line differs between requests and responses: |
95 | | - |
96 | | -**Request line**: `method SP request-target SP HTTP-version CRLF` |
97 | | - |
98 | | -**Status line**: `HTTP-version SP status-code SP reason-phrase CRLF` |
99 | | - |
100 | | -The library validates start lines strictly. Invalid syntax is rejected |
101 | | -immediately rather than attempting recovery. |
102 | | - |
103 | | -=== Header Fields |
104 | | - |
105 | | -Headers are name-value pairs that provide metadata about the message. |
106 | | -Each header occupies one line, terminated by CRLF: |
107 | | - |
108 | | -[source] |
109 | | ----- |
110 | | -field-name: field-value |
111 | | ----- |
112 | | - |
113 | | -Important characteristics: |
114 | | - |
115 | | -* Field names are case-insensitive (`Content-Type` equals `content-type`) |
116 | | -* Field values have leading and trailing whitespace stripped |
117 | | -* The same field name may appear multiple times |
118 | | -* Order of fields with the same name is significant |
119 | | - |
120 | | -The library tracks several headers automatically and enforces their semantics: |
121 | | - |
122 | | -[cols="1a,4a"] |
123 | | -|=== |
124 | | -|Field|Description |
125 | | - |
126 | | -|*Connection* |
127 | | -|Controls whether the connection stays open. Values include `keep-alive` |
128 | | -and `close`. The library updates connection state based on this field. |
129 | | - |
130 | | -|*Content-Length* |
131 | | -|Specifies the exact size of the message body in bytes. When present, |
132 | | -the parser uses this to determine when the body ends. |
133 | | - |
134 | | -|*Transfer-Encoding* |
135 | | -|Indicates transformations applied to the message body. The library |
136 | | -supports `chunked`, `gzip`, `deflate`, and `brotli` encodings. |
137 | | - |
138 | | -|*Upgrade* |
139 | | -|Requests a protocol switch (e.g., to WebSocket). The library detects |
140 | | -this and makes the raw connection available for the new protocol. |
141 | | - |
142 | | -|=== |
143 | | - |
144 | | -=== Message Body |
145 | | - |
146 | | -The body is a sequence of bytes following the headers. Its length is |
147 | | -determined by: |
148 | | - |
149 | | -* `Content-Length` header (exact byte count) |
150 | | -* `Transfer-Encoding: chunked` (length encoded in stream) |
151 | | -* Connection close (for responses without length indication) |
152 | | - |
153 | | -The library handles body framing automatically during parsing and |
154 | | -serialization. You provide or consume the raw body bytes. |
155 | | - |
156 | | -== Security Considerations |
157 | | - |
158 | | -HTTP implementation bugs frequently lead to security vulnerabilities. |
159 | | -The library is designed to prevent common attacks by default. |
160 | | - |
161 | | -=== Request Smuggling |
162 | | - |
163 | | -Request smuggling exploits disagreements between servers about where |
164 | | -one request ends and the next begins. This happens when: |
165 | | - |
166 | | -* Multiple `Content-Length` headers have different values |
167 | | -* Both `Content-Length` and `Transfer-Encoding: chunked` are present |
168 | | -* Malformed chunk sizes are interpreted differently |
169 | | - |
170 | | -The library rejects ambiguous requests. When both `Content-Length` and |
171 | | -`Transfer-Encoding` appear, `Transfer-Encoding` takes precedence per |
172 | | -RFC 9110, and `Content-Length` is removed from the parsed headers. |
173 | | - |
174 | | -=== Header Injection |
175 | | - |
176 | | -Header injection attacks insert unexpected headers by including CRLF |
177 | | -sequences in field values. The library forbids CR, LF, and NUL characters |
178 | | -in header values—attempts to include them throw an exception. |
179 | | - |
180 | | -[source,cpp] |
181 | | ----- |
182 | | -// This throws - newlines not allowed in values |
183 | | -req.set(field::user_agent, "Bad\r\nInjected-Header: evil"); |
184 | | ----- |
185 | | - |
186 | | -=== Resource Exhaustion |
187 | | - |
188 | | -Attackers can exhaust server memory by sending: |
189 | | - |
190 | | -* Extremely long header lines |
191 | | -* Too many header fields |
192 | | -* Enormous message bodies |
193 | | - |
194 | | -The library provides configurable limits for all of these. When a limit |
195 | | -is exceeded, parsing fails with a specific error code. |
196 | | - |
197 | | -[source,cpp] |
198 | | ----- |
199 | | -// Configure limits via parser config |
200 | | -request_parser::config cfg; |
201 | | -cfg.headers.max_field_size = 8192; // Max bytes per header line |
202 | | -cfg.headers.max_fields = 100; // Max number of headers |
203 | | -cfg.body_limit = 1024 * 1024; // Max body size (1 MB) |
204 | | ----- |
205 | | - |
206 | | -=== Field Validation |
207 | | - |
208 | | -Field names must consist only of valid token characters. Field values |
209 | | -must not contain control characters except horizontal tab. The library |
210 | | -validates these constraints on every operation that creates or modifies |
211 | | -headers. |
212 | | - |
213 | | -== Next Steps |
214 | | - |
215 | | -Now that you understand HTTP message structure and session management, |
216 | | -learn how to work with the library's message containers: |
217 | | - |
218 | | -* xref:3.messages/3a.containers.adoc[Containers] — request, response, and fields types |
| 12 | +Every time you click a link, a small conversation takes place between |
| 13 | +two machines. One asks a question; the other answers it. The language |
| 14 | +they speak is HTTP, and it is the most widely used application protocol |
| 15 | +on Earth. Billions of requests flow through it every hour--web pages, |
| 16 | +images, API calls, video streams--all carried by the same simple |
| 17 | +exchange of text messages that Tim Berners-Lee sketched on a notepad |
| 18 | +in 1990. |
| 19 | + |
| 20 | +You are about to learn that language from the ground up. |
| 21 | + |
| 22 | +We start with the basics: what HTTP actually is, and how clients and |
| 23 | +servers find each other through URLs. From there you will look inside |
| 24 | +the messages themselves--their structure, the methods that give them |
| 25 | +purpose, and the status codes that report what happened. You will see |
| 26 | +how headers quietly orchestrate everything from content types to |
| 27 | +caching policies, and how content negotiation lets a single resource |
| 28 | +serve different representations to different clients. |
| 29 | + |
| 30 | +Then the picture gets more interesting. You will learn how connections |
| 31 | +are opened, reused, and closed--and why getting this right matters more |
| 32 | +than most people realize. Caching will show you how the Web avoids |
| 33 | +doing the same work twice. Authentication will reveal how identity and |
| 34 | +trust are woven into the protocol without breaking its stateless design. |
| 35 | + |
| 36 | +Finally, you will follow HTTP's evolution into its modern forms: the |
| 37 | +binary multiplexing of HTTP/2, and the QUIC-based transport of HTTP/3 |
| 38 | +that eliminates decades-old performance bottlenecks at the transport |
| 39 | +layer. |
| 40 | + |
| 41 | +None of this requires prior networking experience. Each section builds |
| 42 | +on the last, and by the end you will read raw HTTP traffic the way a |
| 43 | +mechanic reads an engine--seeing not just what is happening, but _why_. |
0 commit comments